Topic: Cycldek: Bridging the (air) gap (Read 604 times)

No. You are never "always on the safe side".
There are multiple ways to infiltrate an air-gapped system.
And there are even more ways to exfiltrate data from such systems. Using a flash drive is just the easiest one. Using the cable of the monitor to emit radio waves is one example. Those radio waves can be received by any mobile phone with an integrated FM receiver.
Malware does exist to do so. There are PoC's available for that. Studies are being done in this field.

You will never achieve to always be safe.
The goal is to increase the security as much as possible, not to have a completely secure setup. Because that is not possible.

No. You are never "always on the safe side".
There are multiple ways to infiltrate an air-gapped system.
And there are even more ways to exfiltrate data from such systems. Using a flash drive is just the easiest one. Using the cable of the monitor to emit radio waves is one example. Those radio waves can be received by any mobile phone with an integrated FM receiver.
Malware does exist to do so. There are PoC's available for that. Studies are being done in this field.

You will never achieve to always be safe.
The goal is to increase the security as much as possible, not to have a completely secure setup. Because that is not possible.

All those  " acoustic, seismic, magnetic, thermal" and so on described by Wikipedia   are just conceptual discussions ("gravitational" falls into the same category). I didn't know any practical case related to them. If you know actual case please share it by providing a link.

You're slowly moving to theoretical attack rather than practical attack, no one would do that unless they know you have tons of cryptocurrency or other confidential/valuable data.

Aside from using USB drive (and probably install OS/application in secure manner) on air-gapped device, i think user don't need to worry about possible attack vector of their air-gapped system.

No. You are never "always on the safe side".
There are multiple ways to infiltrate an air-gapped system.
And there are even more ways to exfiltrate data from such systems. Using a flash drive is just the easiest one. Using the cable of the monitor to emit radio waves is one example. Those radio waves can be received by any mobile phone with an integrated FM receiver.
Malware does exist to do so. There are PoC's available for that. Studies are being done in this field.

You will never achieve to always be safe.
The goal is to increase the security as much as possible, not to have a completely secure setup. Because that is not possible.

Use instead QR codes and   optical path to hand it over and you'll be always on the safe  side

Stealing through USB drives is nothing new, it'd be different it uses audio medium (fan, speaker, etc.) or monitor which usually only happened in movie.

Of course there are ways to infiltrate air gap like Meet USBee, the malware that uses USB drives to covertly jump airgaps.

2. Paper wallet

Two implants, two clusters - named BlueCore and RedCore

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.

Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (Sysinternals tools used to dump memory, possibly to obtain passwords from running processes), Nbtscan (command line utility intended to scan IP networks for NetBIOS information) and PsExec (Sysinternals tools used to execute commands remotely in the network, typically used for lateral movement).